The Eric Snowden leaks are expected to be bad for the IT business in the United States. According to a study by the Information Technology and Innovation Foundation, the US cloud computing industry will lose as much as $35 billion by 2016 because foreign businesses will abandon US-based cloud computing services out of fear for the security of their applications and data. Alarmists everywhere have taken up the cry that “Encryption is Dead”. If you are in the business of securing financial data or other sensitive data, this will keep you up at night. Depending on your line of work, it may result in your clients calling you, worried about their data. Depending on where your clients are located, you could stand to lose a lot of business from data security hysteria.

Big business and international firms are not the only entities worried about this shift in ideas about data security. Consumers and individual users also care about their security and privacy. According to another study by the Pew Research Center, 86% of internet users have taken steps online to remove or mask their digital footprints. 55% of internet users have taken steps to avoid observation by specific people, organizations, or the government. People are becoming rightly concerned about their privacy. If you supply consumer-oriented services in your business, you are (sometimes unreasonably) expected to safeguard their information — like that one password that they use for every single one of their accounts.

This widespread loss of trust in popular cryptographic technologies may well be spreading gloom in the IT industry, but there are some silver linings to be found among the clouds.

The first bright spot is the fact that encryption is not dead. Bruce Schneier, perhaps the world’s preeminent security expert, in response to the Snowden leaks and the NSA capabilities has plainly stated, “I trust the mathematics.” In essence, Schneier has pointed out that the NSA’s $250 million annual budget to defeat encryption has gained much of its success not by attacking the essential algorithms and mathematical principles of encryption but rather by exploiting implementation flaws and poorly written software. In particular, the NSA has spent their $250 million to:

  • Advocate flawed methods to standards-making bodies
  • Work with vendors to obtain data before encryption or after decryption
  • Convince developers to put backdoors into encryption software
  • Locate and catalog unpatched holes and software bugs in the underlying software stack (browsers, mail clients, operating systems, network software, router firmware, etc.)
  • Gain the ability to sign a certificate using a certificate authority’s private key

The second bright spot is that there is opportunity in chaos. The widespread news coverage and awareness of encryption vulnerabilities has caused an increase in public interest in security issues. There is an opportunity for companies to differentiate themselves by providing improved security as a selling point. One might even say that the Snowden leaks are a clarion call for a long-overdue improvement of software security. In fact, their effect may even be to generate demand for better software.

If you are concerned about security within your business, chances are that you can find some holes. You may find servers that need updating. You may find unintentional holes or even cunning back doors in FOSS plugins for your framework or CMS (Joomla, Drupal, WordPress, etc.). You may find that the certificate bundles distributed with web browsers in your enterprise include certificate authorities which should no longer be trusted. Your organization, like the New York Times or Twitter, might be vulnerable to some old-fashioned human engineering because your DNS provider isn’t paying attention.

